![\"Solution](\"/ec5d8dffc77c280fb36713a6958744d9/SolutionArch.webp\"\n)
In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting.
\nCross-site scripting is a security vulnerability and a client-side code injection attack. In this attack, the malicious script is injected into legitimate websites.\nCross-site scripting allows an attacker to act like a victim user and to carry out the actions that the user can perform. The attacker can access the user's data as well.
\nStep 1: Create Asp.NET Core Web Application project in Visual Studio.
\nStep 2: Select type as API in the next step and create the project. You will find a default controller which is created in the controller folder named as WeatherForecastController.cs
\nStep 3: Now create a new folder named Middleware in the root directory.
\nStep 4 : Create a new file AntiXssMiddleware.cs in that Middleware folder.
\nStep 5: Now add the Newtonsoft.json package into your solution
\nBy doing the above steps you will have below structure in your solution.
\n
Step 6: Now edit the AntiXssMiddlewars.cs file and paste below code.
\nusing System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing System.Net;\nusing System.Text;\nusing System.Text.RegularExpressions;\nusing System.Threading.Tasks;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Http;\nusing Newtonsoft.Json;\n\nnamespace AntiXssMiddleware.Middleware\n{\n public class AntiXssMiddleware\n {\n private readonly RequestDelegate _next;\n private ErrorResponse _error;\n private readonly int _statusCode = (int)HttpStatusCode.BadRequest;\n\n public AntiXssMiddleware(RequestDelegate next)\n {\n _next = next ?? throw new ArgumentNullException(nameof(next));\n }\n\n public async Task Invoke(HttpContext context)\n {\n // Check XSS in URL\n if (!string.IsNullOrWhiteSpace(context.Request.Path.Value))\n {\n var url = context.Request.Path.Value;\n\n if (CrossSiteScriptingValidation.IsDangerousString(url, out _))\n {\n await RespondWithAnError(context).ConfigureAwait(false);\n return;\n }\n }\n\n // Check XSS in query string\n if (!string.IsNullOrWhiteSpace(context.Request.QueryString.Value))\n {\n var queryString = WebUtility.UrlDecode(context.Request.QueryString.Value);\n\n if (CrossSiteScriptingValidation.IsDangerousString(queryString, out _))\n {\n await RespondWithAnError(context).ConfigureAwait(false);\n return;\n }\n }\n\n // Check XSS in request content\n var originalBody = context.Request.Body;\n try\n {\n var content = await ReadRequestBody(context);\n\n if (CrossSiteScriptingValidation.IsDangerousString(content, out _)) \n {\n await RespondWithAnError(context).ConfigureAwait(false);\n return;\n }\n await _next(context).ConfigureAwait(false);\n }\n finally\n {\n context.Request.Body = originalBody;\n }\n }\n\n private static async Task<string> ReadRequestBody(HttpContext context)\n {\n var buffer = new MemoryStream();\n await context.Request.Body.CopyToAsync(buffer);\n context.Request.Body = buffer;\n buffer.Position = 0;\n\n var encoding = Encoding.UTF8;\n\n var requestContent = await new StreamReader(buffer, encoding).ReadToEndAsync();\n context.Request.Body.Position = 0;\n\n return requestContent;\n }\n\n private async Task RespondWithAnError(HttpContext context)\n {\n context.Response.Clear();\n context.Response.Headers.AddHeaders();\n context.Response.ContentType = "application/json; charset=utf-8";\n context.Response.StatusCode = _statusCode;\n\n if (_error == null)\n {\n _error = new ErrorResponse\n {\n Description = "Error from AntiXssMiddleware",\n ErrorCode = 500\n };\n }\n\n await context.Response.WriteAsync(_error.ToJSON());\n }\n }\n\n public static class AntiXssMiddlewareExtension\n {\n public static IApplicationBuilder UseAntiXssMiddleware(this IApplicationBuilder builder)\n {\n return builder.UseMiddleware<AntiXssMiddleware>();\n }\n }\n\n\n /// <summary>\n /// Imported from System.Web.CrossSiteScriptingValidation Class\n /// </summary>\n public static class CrossSiteScriptingValidation\n {\n private static readonly char[] StartingChars = { '<', '&' };\n\n #region Public methods\n\n public static bool IsDangerousString(string s, out int matchIndex)\n {\n //bool inComment = false;\n matchIndex = 0;\n\n for (var i = 0; ;)\n {\n\n // Look for the start of one of our patterns \n var n = s.IndexOfAny(StartingChars, i);\n\n // If not found, the string is safe\n if (n < 0) return false;\n\n // If it's the last char, it's safe \n if (n == s.Length - 1) return false;\n\n matchIndex = n;\n\n switch (s[n])\n {\n case '<':\n // If the < is followed by a letter or '!', it's unsafe (looks like a tag or HTML comment)\n if (IsAtoZ(s[n + 1]) || s[n + 1] == '!' || s[n + 1] == '/' || s[n + 1] == '?') return true;\n break;\n case '&':\n // If the & is followed by a #, it's unsafe (e.g. S) \n if (s[n + 1] == '#') return true;\n break;\n\n }\n\n // Continue searching\n i = n + 1;\n }\n }\n\n #endregion\n\n #region Private methods\n\n private static bool IsAtoZ(char c)\n {\n return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');\n }\n\n #endregion\n\n public static void AddHeaders(this IHeaderDictionary headers)\n {\n if (headers["P3P"].IsNullOrEmpty())\n {\n headers.Add("P3P", "CP=\\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\\"");\n }\n }\n\n public static bool IsNullOrEmpty<T>(this IEnumerable<T> source)\n {\n return source == null || !source.Any();\n }\n public static string ToJSON(this object value)\n {\n return JsonConvert.SerializeObject(value);\n }\n }\n\n public class ErrorResponse\n {\n public int ErrorCode { get; set; }\n public string Description { get; set; }\n }\n\n}In the above file we have created the method for checking the Xss in QueryParam, RequestUri and RequestBody.
\nHere we have different methods which are as follows:-
\nReadRequestBody which is used for reading the RequestBody.
\nRespondWithAnError which is used for returning the error.
\nIsDangerousString which is checking if there is any dangerous string like any script in the given string.
\nStep 7: Edit the Startup.cs file and add below line in Configure method.
\napp.UseAntiXssMiddleware();Step 8 : After editing the Startup.cs file will look like below
\nusing System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Threading.Tasks;\nusing AntiXssMiddleware.Middleware;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Hosting;\nusing Microsoft.AspNetCore.HttpsPolicy;\nusing Microsoft.AspNetCore.Mvc;\nusing Microsoft.Extensions.Configuration;\nusing Microsoft.Extensions.DependencyInjection;\nusing Microsoft.Extensions.Hosting;\nusing Microsoft.Extensions.Logging;\n\nnamespace AntiXssMiddleware\n{\n public class Startup\n {\n public Startup(IConfiguration configuration)\n {\n Configuration = configuration;\n }\n\n public IConfiguration Configuration { get; }\n\n // This method gets called by the runtime. Use this method to add services to the container.\n public void ConfigureServices(IServiceCollection services)\n {\n services.AddControllers();\n }\n\n // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.\n public void Configure(IApplicationBuilder app, IWebHostEnvironment env)\n {\n if (env.IsDevelopment())\n {\n app.UseDeveloperExceptionPage();\n }\n\n app.UseHttpsRedirection();\n app.UseAntiXssMiddleware();\n app.UseRouting();\n app.UseAuthorization();\n app.UseEndpoints(endpoints =>\n {\n endpoints.MapControllers();\n });\n }\n }\n}Step 9: Now build and run the solution.
\nAs we run the default API which is https://localhost:44369/weatherforecast we will get the below response.
[\n {\n "date": "2020-08-21T11:58:40.0289718+05:30",\n "temperatureC": 27,\n "temperatureF": 80,\n "summary": "Sweltering"\n },\n {\n "date": "2020-08-22T11:58:40.0289896+05:30",\n "temperatureC": 21,\n "temperatureF": 69,\n "summary": "Cool"\n },\n {\n "date": "2020-08-23T11:58:40.0289899+05:30",\n "temperatureC": -20,\n "temperatureF": -3,\n "summary": "Hot"\n },\n {\n "date": "2020-08-24T11:58:40.0289901+05:30",\n "temperatureC": 21,\n "temperatureF": 69,\n "summary": "Sweltering"\n },\n {\n "date": "2020-08-25T11:58:40.0289902+05:30",\n "temperatureC": 2,\n "temperatureF": 35,\n "summary": "Balmy"\n }\n]Now if we inject any script in the above url like https://localhost:44369/weatherforecast<script></script> we will get the response as
{\n "ErrorCode": 500,\n "Description": "Error from AntiXssMiddleware"\n}Note:
\nIn this blog, we learnt about how to implement AntiXssMiddlware in ASP.NET Core Web Application Project. We have implemented the AntiXssMiddleware in API's QueryParam, ReuqestUri and RequestBody. So if any script is injected in QueryParam, RequestUri or RequestBody then it will give the error.
\n","frontmatter":{"date":"August 26, 2020","updated_date":null,"description":null,"title":"Implement AntiXssMiddleware in .NET Core Web","tags":["C#","ASP.NET"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/f9d627c09d3f605797e2dff0f5974a61/58556/antixss.webp","srcSet":"/static/f9d627c09d3f605797e2dff0f5974a61/61e93/antixss.webp 200w,\n/static/f9d627c09d3f605797e2dff0f5974a61/1f5c5/antixss.webp 400w,\n/static/f9d627c09d3f605797e2dff0f5974a61/58556/antixss.webp 800w,\n/static/f9d627c09d3f605797e2dff0f5974a61/99238/antixss.webp 1200w,\n/static/f9d627c09d3f605797e2dff0f5974a61/7c22d/antixss.webp 1600w,\n/static/f9d627c09d3f605797e2dff0f5974a61/25f09/antixss.webp 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hemant Manwani","github":"hemant404","avatar":null}}}},{"node":{"excerpt":"In this post, we will look at the step-by-step process for Kafka Installation on Windows. Kafka is an open-source stream-processing software…","fields":{"slug":"/engineering/quick-kafka-installation/"},"html":"In this post, we will look at the step-by-step process for Kafka Installation on Windows. Kafka is an open-source stream-processing software platform and comes under the Apache software foundation.
\nKafka is used for real-time streams of data, to collect big data, or to do real-time analysis (or both). Kafka is used with in-memory microservices to provide durability and it can be used to feed events to complex event streaming systems and IoT/IFTTT-style automation systems.
\nKafka requires Java 8 for running. And hence, this is the first step that we should do to install Kafka. To install Java, there are a couple of options. We can go for the Oracle JDK version 8 from the Official Oracle Website.
\nStep 1: Download Apache Kafka from its Official Site.
\nStep 2: Extract tgz via cmd or from the available tool to a location of your choice:
\ntar -xvzf kafka_2.12-2.4.1.tgzStep 3: Copy the path of the Kafka folder. Now go to config inside Kafka folder and open zookeeper.properties file. Copy the path against the field dataDir and add /zookeeper-data to the path.
\n![](\"/256df753510eececf57f6146cb9b9758/zookeeper.webp\")
\nStep 4: we have to modify the config/server.properties file. Below is the change:
fileslog.dirs=C:\\kafka\\kafka-logsBasically, we are pointing the log.dirs to the new folder /data/kafka.
\nStep 1: Kafka requires Zookeeper to run. Basically, Kafka uses Zookeeper to manage the entire cluster and various brokers. Therefore, a running instance of Zookeeper is a prerequisite to Kafka.
\nTo start Zookeeper, we can open a PowerShell prompt and execute the below command:
\n.\\bin\\windows\\zookeeper-server-start.bat .\\config\\zookeeper.propertiesIf the command is successful, Zookeeper will start on port 2181.
\nStep 2: Now open another command prompt and change the directory to the kafka folder. Run kafka server using the command:
\n.\\bin\\windows\\kafka-server-start.bat .\\config\\server.propertiesNow your Kafka Server is up and running, you can create topics to store messages. Also, we can produce or consume data directly from the command prompt.
\nkafka-topics.bat --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic testkafka-console-producer.bat --broker-list localhost:9092 --topic testkafka-console-consumer.bat --bootstrap-server localhost:9092 --topic test --from-beginningIf you see these messages on consumer console,Congratulations!!! you all done. Then you can play with producer and consumer terminal bypassing some Kafka messages.
\n","frontmatter":{"date":"August 25, 2020","updated_date":null,"description":null,"title":"Setting Up and Running Apache Kafka on Windows OS","tags":["Kafka","Windows"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/41484554ead7eb70ade1abe9498282b0/58556/messagelog.webp","srcSet":"/static/41484554ead7eb70ade1abe9498282b0/61e93/messagelog.webp 200w,\n/static/41484554ead7eb70ade1abe9498282b0/1f5c5/messagelog.webp 400w,\n/static/41484554ead7eb70ade1abe9498282b0/58556/messagelog.webp 800w,\n/static/41484554ead7eb70ade1abe9498282b0/99238/messagelog.webp 1200w,\n/static/41484554ead7eb70ade1abe9498282b0/7c22d/messagelog.webp 1600w,\n/static/41484554ead7eb70ade1abe9498282b0/a9f42/messagelog.webp 2700w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Ashish Sharma","github":"ashish8947","avatar":null}}}},{"node":{"excerpt":"Getting Started with OAuth 2.0 OAuth has been a jargon for quite some time now and it is difficult for a beginner to learn it, not because…","fields":{"slug":"/engineering/oauth2/"},"html":"OAuth has been a jargon for quite some time now and it is difficult for a beginner to learn it, not because OAuth is hard, but because of the confusing facts found about OAuth on the web. So I wrote this article to explain why and how OAuth is used in very simple terms.
\nLet’s start with the basics: OAuth stands for Open Authorization. It’s a process through which an application or website can access private data from another website.\nIt provides applications the ability for “secure designated access.” For example, you can tell Google that it’s OK for abc.com to access your google account or contact without having to give abc.com your google password.
\nOAuth never share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
\nWe have a pretty good understanding of OAuth 2.0 and Terminology, let’s move further and discuss the OAuth grant type that is widely used in this protocol.
\nIn total, there are five different grant type flows defined and described to perform authorizations tasks. Those are
\nThe Authorization Code Grant Type is the most commonly used grant type.
\n![\"Authorization](\"/47e9006e434b8236e62cf478cf75e1ef/image4.webp\")
The Story: A user tries to log in on abc.com but he can’t remember his password and he discovers an option to sign in with google, by clicking on this, the user will easily get logged using google account.
\nFlow
\nThe client redirects the user to the authorization server having the following parameters in the query string.
\nStep 1
\nAfter successful authentication, the user will be redirected to the Consent screen where he needs to provide consent to abc.com to access the account detail.\nAuthorization code is generated by the authorization server and sent back to the client with redirect Uri.
\nStep 2\nThe client will now send a POST request to the authorization server with the following parameters:
\nIn the entire flow, the access token is never exposed to a web browser.
\nThe Implicit flow was a simplified OAuth flow previously recommended for client-side applications like JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.
\n![\"Implicit](\"/14a734511c957c8301b0085584c59814/image2.webp\")
The Story: In this flow abc.com directly get access token without an extra authorization code exchange steps and able to access resources on a resource server
\nFlow
\nThe client will redirect the user to the authorization server with the following parameters in the query string:
\nIt is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
\nThe resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
\nThis grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.
\nFlow
\nThe client will ask the user for their authorization credentials (usually a username and password).\nThe client then sends a POST request with following body parameters to the authorization server:
\nUsing this flow the client can request an access token using only its client credentials (or other supported means of authentication).
\n![\"Client](\"/ea2d4e2857578a4ac594bac0213a684c/image3.webp\")
The Story: The client application presents its client credentials (client identifier and client secret) to the authorization server requesting approval to access the protected resource (owned by the client application) on the resource server.\nThe authorization server authenticates the client credential and issues an access token.
\nFlow
\nThe client sends a POST request with following body parameters to the authorization server:
\nAccess tokens eventually expire, however, some grants respond with a refresh token which enables the client to refresh the access token.
\nFlow
\nThe client sends a POST request with following body parameters to the authorization server:
\nI hope you got an idea of how OAuth works and why it is needed. Now it’s time for you to go explore, find out more about the OAuth flow and implement it into your application.\nGood Luck and have fun! Thank you for following this article and hope it helped you! Please do buzz me if you want any help: indrasen.kumar@loginradius.com
\n","frontmatter":{"date":"August 24, 2020","updated_date":null,"description":"Using this blog one can easily understand the basic concept of Oauth 2.0","title":"Getting Started with OAuth 2.0","tags":["Engineering","Oauth","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/2b98b97b1a199e3e7378bcf740073407/58556/oauth2.webp","srcSet":"/static/2b98b97b1a199e3e7378bcf740073407/61e93/oauth2.webp 200w,\n/static/2b98b97b1a199e3e7378bcf740073407/1f5c5/oauth2.webp 400w,\n/static/2b98b97b1a199e3e7378bcf740073407/58556/oauth2.webp 800w,\n/static/2b98b97b1a199e3e7378bcf740073407/1fb14/oauth2.webp 960w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Indrasen Kumar","github":"indrasen715","avatar":null}}}},{"node":{"excerpt":"What is the Rest API? RESTful programming provides stateless and a uniform interface, Rest API is HTTP-based URLs that hide the back-end…","fields":{"slug":"/engineering/best-practice-guide-for-rest-api-security/"},"html":"RESTful programming provides stateless and a uniform interface, Rest API is HTTP-based URLs that hide the back-end infrastructure from the user. Rest APIs provide the back end for modern web and mobile applications.
\nRest APIs are the most important layer in the back-end infrastructure for most modern applications. Cybercriminals are increasingly targeting APIs. Ensuring web API security is the most important and crucial. Let’s see what you can do to ensure REST API security.
\nAPI security start with Http Connection. All requests from clients to your API should be encrypted (HTTPS). Unfortunately, many client HTTP do not enable HTTPS/secure connections by default it’s necessary to enforce that from the server. When Clients who attempt to connect via HTTP should forcefully be redirected to secure HTTPS connections.
\nYou can use HTTP Strict Transport Security security header enforcing Https for web and You can return error for API in case Rest API call on HTTP
\nYou can get a free certificate with Let's Encrypt. SSL provides security from basic API vulnerabilities with almost minimal effort
\nA Distributed Denial of Service (DDoS) is a targeted cyber attack on a web site or device where a malicious attacker flood of traffic is sent from single or multiple sources. the main purpose of DDos is to make a machine or network resource unavailable to its genuine users by temporarily or disrupting services of a host connected to the Internet. if we are not using appropriate security practice or tools then it makes RESTful API into a non-functional situation.
\nAPI DoS attacks are more common these days. Rest APIs utilizations also increasing day-by-day. The organization's dependency is increasing day-by-day because of business needed a unified platform. An attacker can use multiple ways for the DDoS attack so as developer or security engineer you need to implement long-term solution not a temporary
\nAttackers can make so many repeated calls on the APIs. it can make resources unavailable to its genuine users. A rate limit is the number of API calls an app or user can make within a given period. When this limit is exceeded, block API access temporarily and return the 429 (too many requests) HTTP error code.
\nI m adding node js examples to implement the rate limit. multiple npm packages are available for node js
\nNodeJs
\nimport rateLimit from 'express-rate-limit';\n\nexport const apiRatelimit = rateLimit({\n windowMs: 60 * 60 * 1000, // 1 hrs in milliseconds\n max: 100,\n message: 'You have exceeded the 100 requests in 1 hrs limit!', \n headers: true, // it will add X-RateLimit-Limit , X-RateLimit-Remaining and Retry-After Headers in the request \n});\n\n// you can add this in the middleware. it will apply rate limit for the all requests \napp.use(apiRatelimit);Active cache means if the service first attempts to read from the cache backend and falls back to reading from the actual source. The service is not dependent or requesting the data from the actual upstream server. a cache backend is a key-value store (e.g. Redis) or In-Memory cache and the actual source of data is an SQL, MongoDB, etc.
\nPassive cache architecture ensures high volume traffic never hit to actual server or service.
\nI m adding node js examples to implement the passive cache. multiple npm packages are available for node js
\nNodeJs
\nimport nodeCache from "node-cache";\n\nconst myCache = new nodeCache();\n\n// set object in the cache \n\nobj = { userid: 909887, name: "example" };\n\nsuccess = myCache.set( "userKey", obj, 600 ); // ttl is 600 seconds \n\n\n//read object from the cache \nvalue = myCache.get( "userKey" );\nif ( value == undefined ){\n\t// handle miss!\n}Sensitive data exposure happens when an application, organization, or other entity unable to properly secure sensitive data. It is different from a data breach, it includes personal information, tokens, etc. We can make sure sensitive data security using
\nmultiple ways which include encryption at rest or in transit and masking
Cross-Site Scripting (XSS) attacks are a type of injection, in which attacker aims to execute malicious scripts in a web browser of the victim. an attacker can transfer untrusted data into the API as part of a query or command.which can result in an attacker obtaining unauthorized access to information or carry out other damages.
\nAt the point where user input is received, filter as strictly as possible based on what is expected or valid input.
\nTo prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
\nIf you want to know more details about the security headers. Please go to Security Headers
\nAs a last line of defense against attackers, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
\nNode js we can use xss-clean package. This dependency will prevent users from inserting HTML & Scripts on input.
NodeJs
\nimport xssClean from "xss-clean";\n\n// Use this as middleare \napp.use(xssClean())We can discover suspicious activity using proper logging and monitoring. When We have insufficient logging and monitoring in that case sometimes we can miss some system access or user activity logs, a step of the particular activity and security alerts.
\nA lot of logging and monitoring tools are available. We can choose the best tools as per our requirement also we can define some policies like data retention policy that includes how far backlogs will be kept. Instrument your API access actions to record key metrics and events. Keep logs indexable and searchable.
\nEach API should limit access, API only able to perform what tasks they need to do. We can do this with Role-Based Access, separate read/write API Keys, OAuth Scopes, and permissions systems. This minimizes the chances that you’ll accidentally expose a sensitive field.
\nSometimes, people find security vulnerabilities, and they would like to report them so the vendor or the developer can fix them. you must have a public contact point where security issues can be reported.
\nWe can create a security.txt file on the site. security.txt is a proposed standard for websites' security information that will allow security researchers to easily report security vulnerabilities. The \"security.txt\" that is similar to robots.txt. security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook
You can easily create secuirty.txt file using the securitytxt.org
Now days lot of data breaches are happing. We can save mostly data breaches after following some basic security guidelines.You have to pay attention to security during Rest API development. I have covered most of the general Rest API security issues with resolution. these guidelines will help you for developing more secure and quality REST API service.
\n","frontmatter":{"date":"August 20, 2020","updated_date":null,"description":null,"title":"Best Practice Guide For Rest API Security | LoginRadius","tags":["RestAPI","Rest API","Rest API Security","Best Practice","Rest API Developer Guide","Security"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/0072087246a78a28a06a6c6744a6823a/58556/index.webp","srcSet":"/static/0072087246a78a28a06a6c6744a6823a/61e93/index.webp 200w,\n/static/0072087246a78a28a06a6c6744a6823a/1f5c5/index.webp 400w,\n/static/0072087246a78a28a06a6c6744a6823a/58556/index.webp 800w,\n/static/0072087246a78a28a06a6c6744a6823a/99238/index.webp 1200w,\n/static/0072087246a78a28a06a6c6744a6823a/7c22d/index.webp 1600w,\n/static/0072087246a78a28a06a6c6744a6823a/25f09/index.webp 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"In this blog we will learn how to create our own webpack configuration to bundle a small JavaScript utility library using webpack and babel…","fields":{"slug":"/engineering/write-a-javascript-library-using-webpack-and-babel/"},"html":"In this blog we will learn how to create our own webpack configuration to bundle a small JavaScript utility library using webpack and babel.
\nLet's create the source code for our library. For that we will be create two utility functions into two separate files in our source folder.
\ndemo and run following command in it. $ npm init -yThe above command will create a package.json in your project root. I am using a --y to initialize it with default options.
Directory Structure
\ndemo\n |-- src/\n |-- package.jsonLet's add our source code into src directory:
src\n |--index.js\n |--capital.js\n |--addDOMContent.jsOur utility library contains two functions capital, to capitalize a string and addDOMContent, to add content to a web page, each in it's own module.
capital.js
function capital(string) {\n const capitalizedString =\n string.substring(0, 1).toUpperCase() + string.substring(1)\n return capitalizedString\n}\n\nexport default capitaladdDOMContent.js
function addDOMContent(content) {\n const node = document.createElement("h1")\n node.innerText = content\n document.body.appendChild(node)\n}\n\nexport default addDOMContentInside our index.js, we will import these two functions.
index.js
import capital from "./capital"\nimport addDOMContent from "./addDOMContent"\n\nexport { capital, addDOMContent }So far we got the source code ready but we still need to bundle it so that the browsers can understand and oh boy!, we need to support some older browsers too 🙄. Anyway, being responsible developers we are going to do that 😎.
\n $ npm i --save-dev webpack webpack-cli @babel/core @babel/preset-env babel-loaderWe need webpack to bundle our code and webpack-cli is a command-line tool that uses webpack to do the same. Also webpack requires babel-loader to transpile our ES6 code to ES5 before bundling (Remember, what I said about being responsible developers 😃).
4.1. Create a webpack.config.js at the root of the project.
webpack.config.js
const path = require("path")\n\nmodule.exports = {\n entry: path.resolve(__dirname, "src/index.js"),\n output: {\n path: path.resolve(__dirname, "dist"),\n filename: "index_bundle.js",\n library: "$",\n libraryTarget: "umd",\n },\n module: {\n rules: [\n {\n test: /\\.(js)$/,\n exclude: /node_modules/,\n use: "babel-loader",\n },\n ],\n },\n mode: "development",\n}There are a couple of things we need to understand about webpack configuration. Stay with me for a couple more minutes.
\nentry: In order for webpack to know where to start with, it needs to know the entry point to our app.module.rules: Each file in Node is treated like a module. Webpack itself understands only Javascript and JSON modules. Since we want to transpile ES6, we need babel-loader and webpack needs to know the rules on how to process the Javascript using the given loader.output: After creating the bundle, webpack needs to know what name to give it and where to put it.library and libraryTarget are used to expose our library where library being the name,$ here and libraryTarget is the property to configure, how the library will be exposed. Here we will be using UMD. UMD is a module system capable of working everywhere, be it in the client, on the server or elsewhere.mode: Webpack bundles code into either development mode (unminified) or in production(minified) mode. I am using a hard coded value here for the demo. You can set it using environment variables too.
\n4.2. Create a .babelrc file at the root of the project.
.babelrc
{\n presets: ["@babel/preset-env"]\n}@babel/preset-env let's us use the latest Javascript without any polyfills and syntax transforms.babel-loader uses babel under the hood.
By Now our Project Structure should look like this:
\ndemo\n|-- src\n| |-- index.js\n| |-- capital.js\n| |-- addDOMContent.js\n|-- webpack.config.js\n|-- .babelrc\n|-- package.json\n|-- node_modulesWe have added our source files, now let's add an npm script to build final code using webpack and modify the main property inside our package.json to point it to our bundled code.
package.json
{\n "name": "demo",\n "version": "1.0.0",\n "description": "",\n+ "main": "dist/index_bundle.js",\n+ "scripts": {\n+ "build": "webpack"\n+ },\n "keywords": [],\n "author": "Hridayesh Sharma",\n "license": "ISC",\n "dependencies": {},\n "devDependencies": {\n "@babel/core": "^7.10.4",\n "@babel/preset-env": "^7.11.0",\n "babel-loader": "^8.1.0",\n "webpack": "^4.44.1",\n "webpack-cli": "^3.3.12",\n }\n}In package.json the main property is a direction to the entry point of the module that the package.json is describing.
Run $npm run build to generate the bundled code and use it in the next step.
index.html
<!DOCTYPE html>\n<html lang="en">\n <head>\n <meta charset="UTF-8" />\n <meta name="viewport" content="width=device-width, initial-scale=1.0" />\n <title>Demo</title>\n </head>\n <body>\n <script src="dist/index_bundle.js"></script>\n <script>\n console.log($)\n alert($.capital("hridayesh"))\n $.addDOMContent("Well It Works Fine!!!")\n </script>\n </body>\n</html>Save it and run it in your browser. You will see the name capitalized.
\nThe complete code is available at LoginRadius Engineering Blog Sample Repo
\nThanks for reading the blog. For detailed information and execution example of this blog, please refer to the video below:
\n\n","frontmatter":{"date":"August 18, 2020","updated_date":null,"description":"Writing your own webpack configuration for a JavaScript library in ES6 and learn webpack along the way.","title":"Let's Write a JavaScript Library in ES6 using Webpack and Babel","tags":["JavaScript","Webpack","NodeJs"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/b9b74a766ec8c0c06733b438fefae5ae/58556/cover.webp","srcSet":"/static/b9b74a766ec8c0c06733b438fefae5ae/61e93/cover.webp 200w,\n/static/b9b74a766ec8c0c06733b438fefae5ae/1f5c5/cover.webp 400w,\n/static/b9b74a766ec8c0c06733b438fefae5ae/58556/cover.webp 800w,\n/static/b9b74a766ec8c0c06733b438fefae5ae/cc834/cover.webp 1024w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hridayesh Sharma","github":"vyasriday","avatar":null}}}},{"node":{"excerpt":"Every Web Developer should know about cross-domain security While working in the world of the internet, all of the complex systems are…","fields":{"slug":"/engineering/cross-domain-security/"},"html":"While working in the world of the internet, all of the complex systems are interconnected in a shareable environment. But exposing systems in the outer world will invite security vulnerabilities and data breach for the organization. Cross-domain security address this security threat by enabling information sharing in more reliable and secure environments. Cross-domain security is an inclusive approach to defending against all kinds of threats to data connections at the boundaries of sensitive or classified networks.
\nThere is no way of being 100% protected from being hacked. If anyone ever tells you that, they are wrong.
\nYou can’t just say…
\n\n\n\"Oh, because I even have CSP implemented, I am safe. I can cross out cross-site scripting from my vulnerabilities list because that can’t happen now.\"
\n
Maybe that is a given to some, but it is easy to find yourself thinking in this manner. In my opinion one reason that programmers can easily find themselves thinking this way is because so much of coding is black and white, 0 or 1, true or false. Security is not that so simple.
\nHave you ever gotten an error that looked something like this?
\nNo 'Access-Control-Allow-Origin' header is available on the requested resource. Origin 'null' is therefore not allowed access.You are certainly not alone. And then you Google it, and someone tells you to urge this extension which will make all of your problems go away!
\n\n\nAwesome, right?
\n
CORS is there to protect you, not hurt you!
\nIn order to explain how CORS helps you, let’s starts about cookies, specifically authentication cookies. Authentication cookies are wont to tell a server that you are simply logged in, and that they are automatically sent with any request you make to that server.
\n\n\nLet’s think you’re logged in to yahoo, and they use authentication cookies. You click on bit.ly/r43nugi which redirects you to cryptoearn. A script within cryptoearn makes a client-side request to yahoo.com which sends your authentication cookie!
\n
In a no-CORS world, they might make changes to your account without you even knowing. Until, obiviously , they post bit.ly/r43nugi on your timeline, and everyone of your relative orfriends click on thereon, and then the cycle continues in an evil breadth-first scheme that conquers all of yahoo’s users, and the world is consumed by cryptoearn. ?
\nIn CORS world, however, yahoo would only allow requests with an origin of yahoo.com to edit data on their server. In other words, they might limit cross-origin resource sharing. You might then ask…
\n\n\nWell can cryptoearn just change the origin header on their request, so that it looks like it is coming from *yahoo.com?*
\n
They will try, but it won’t work because the browser will just ignore it and use the actual origin.
\n\n\nOk, but what if cryptoearn made the request server-side?
\n
In this case, they can bypass CORS, but they can't crack this because they won’t be ready to send your authentication cookie along for the ride. The script should be executed on the client side to urge access to your client side cookies.
\n\n\nServers are generally host web sites, applications, images, fonts, and many more. When you use any browser, you are likely attempting to access a definite website (that is hosted on a server). Websites often request these hosted resources from different locations (servers) on the web. Security policies on servers mitigate the risks associated with requesting assets hosted on distinct server. Let’s take a glance at an example of a security policy: same-origin.\nThe **same-origin *policy is very restrictive. Under this policy, a document (i.e., sort of a web page) hosted on server A can only interact with other documents that also are on server A. In short, the same-origin policy enforces that documents that interact with one another have the same *origin.
\n
The CORS standards manage cross-origin requests by adding a new HTTP headers to the standard list of headers. The following are the new HTTP headers added by the CORS standard:
\nTo dig in to CSP, we first need to talk about one of the most common vulnerabilities on the web: XSS, which means cross-site scripting.
\nXSS is when some evil guy injects JavaScript into your client-side code. You might think…
\n\n\nWhat are they going to do? Change a color from red to blue?
\n
Let’s think of someone has successfully injected JavaScript into client-side code of a website you are visiting.
\nWhat could they do that would be malicious?
\nThe possibilities are endless.
\nCSP is something prevent this from happening by limiting:
\nwhere requests can be made, etc.
\nSo how does it work?
\nWhenever you click on a link or type a website URL in the address bar of your internet browser, your browser makes a GET request. It eventually makes its way to a server which serves up HTML along with HTTP headers. for more details about what headers, open up the Network tab in your console, and visit some sites.
\nYou might see a response header that looks like below:
\ncontent-security-policy: default-src * data: blob:;script-src *.yahoo.com *.fbcdn.net *.yahoo.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.yahoo.com yahoo.com *.fbcdn.net *.yahoo.net *.spotilocal.com:* wss://*.yahoo.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;That is the content security policy of yahoo.com. Let’s reformat it to make it easier to read:
\ncontent-security-policy:\ndefault-src * data: blob:;\n\nscript-src *.yahoo.com *.fbcdn.net *.yahoo.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self';\n\nstyle-src data: blob: 'unsafe-inline' *;\n\nconnect-src *.yahoo.com yahoo.com *.fbcdn.net *.yahoo.net *.spotilocal.com:* wss://*.yahoo.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;Now, let’s break down the directives.
\nNote: there are many more CSP directives than just these four shown above. The internet browser will read the CSP header and apply those directives to everything within the HTML file that was served. If the directives are set correctly, they allow only what is required.
\nIf there is no CSP header is present, then everything goes, and nothing is restricted. Everywhere you see * , that is a wildcard. You can think of replacing * with anything and it will be allowed.
\nSecurity is something that should be important to everyone, not just the people who have it explicitly named in their job title, and always try to have additional layer for better security.
\n","frontmatter":{"date":"August 16, 2020","updated_date":null,"description":"Cross domain security address security threat by enabling the information sharing in more reliable and secure environments. Cross domain security is an inclusive approach to defending against all kind of threats to data connections at the boundaries of sensitive or classified networks.","title":"Cross Domain Security","tags":["Security","Web Security","Cross-Domain"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/f2c34b70cad9028b5628b052956b4561/58556/cross_domain_security.webp","srcSet":"/static/f2c34b70cad9028b5628b052956b4561/61e93/cross_domain_security.webp 200w,\n/static/f2c34b70cad9028b5628b052956b4561/1f5c5/cross_domain_security.webp 400w,\n/static/f2c34b70cad9028b5628b052956b4561/58556/cross_domain_security.webp 800w,\n/static/f2c34b70cad9028b5628b052956b4561/99238/cross_domain_security.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Abhimanyu Singh Rathore","github":"abhir9","avatar":null}}}}]},"markdownRemark":{"excerpt":"Introduction Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT…","fields":{"slug":"/engineering/how-to-integrate-jwt/"},"html":"Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT, or JSON Web Tokens, a compact, stateless method for securely transmitting user identity and session data across services.
\nWith JWT token authentication, identity information is embedded in a signed token, allowing you to maintain user sessions without server-side storage. This approach is highly scalable and ideal for modern architectures like SPAs, mobile apps, and microservices.
\nIn this blog, we’ll walk you through what is JWT, why use it, and how to implement JWT authentication using LoginRadius.
\nYou’ll learn what JWT is, why it’s effective, and how it works in real-world applications. We'll cover both integration methods (IDX and Direct API), generating your signing key, managing sessions, storing the JWT token securely, and applying best practices throughout.
\nWhether you're a developer, product manager, or IAM architect, this guide offers a complete foundation for implementing JWT token authentication into your application stack.
\nJSON Web Token (JWT) is an open standard (RFC 7519) used to transmit information securely between parties as a JSON object. It’s compact, self-contained, and digitally signed, making it a reliable format for authentication and authorization across modern applications.
\nA JWT consists of three parts:
\nExample of a token structure:
\n<base64Header>.<base64Payload>.<signature>
\n![\"Flowchart](\"/f29edbf2978577390c7ffa02e9bc4dda/lr-JWT-authentication.webp\")
JWT simplifies identity verification, especially when you're building apps that talk to APIs or need to scale without centralized session storage.
\nLoginRadius provides robust support for JWT (JSON Web Token) authentication, which allows for flexible and secure access control across different digital platforms. Whether you're building a fully custom identity flow or using a pre-built interface, the platform supports various integration approaches depending on your architecture.
\nIf you're looking to understand how to implement JWT token authentication effectively, LoginRadius offers two primary implementation models that cater to different levels of customization and control:
\nThe IDX-hosted login approach enables secure, standards-compliant, JWT-based authentication without requiring you to build a custom login interface. This is a strategic option for fast, compliant, and user-friendly deployments.
\n![\"Screenshot](\"/9fb19dd9c88c7916aeebd03ab6e661b7/lr-admin-console.webp\")
{
\n\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR...\",
\n\"expires_in\": 1800
\n}
\nThis integration approach works best for all teams that want effective identity workflows without the complexity of building proprietary login screens, something that is crucial for customer portals, onboarding of mobile applications, and even managing access for business partners.
\nIf you’re building a custom login UI or working in a headless environment, LoginRadius lets you generate and handle JWTs directly through its Authentication APIs. Here’s how you can programmatically perform token authentication using the classic method:
\nSend a POST login request to the LR Authentication URL:
\nPOST /identity/v2/auth/login
\nInclude the user’s credentials (email + password) in the request body.
\n{
\n\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\",
\n\"expires_in\": 3600
\n}
\nWith LoginRadius, it is possible to customize the payload to include user roles and/or any additional metadata. You can set custom JWT claims on the Admin Console.
\nWith this method, you have complete customization over login flows while using LoginRadius to issue signed JWTs for user session management.
\nNOTE- With either method, LoginRadius ensures that JWTs are securely signed, optionally short-lived, and compatible with standard token validation libraries, making integration seamless for everyone.
\nTo get started with JWT implementation, you can read our complete developer documentation.
\n![\"Illustration](\"/15ec02ac98d24a9f1f28e5d0f06b9174/IDX-vs-Direct-API-JWT.webp\")
Session management is how your app keeps track of a user after they log in so they don’t have to prove who they are with every request.
\nIn traditional apps, sessions are stored on the server using session IDs. Every time a request comes in, the server checks that session ID to verify the user.
\nIn modern apps, especially SPAs and APIs, JWTs are used to manage sessions without needing server-side storage; this is called stateless session management. The token itself carries the user’s identity, roles, and expiration details. As long as the token is valid, the user stays logged in.
\nGood session management ensures:
\nUser Logs In
\nClient Stores the Token
\nAccess Token Expiry
\nToken Renewal
\nWhen the user logs out, both the access token and refresh token should be cleared from client storage.
\nHowever, access tokens are stateless and cannot be revoked mid-lifecycle unless:
\nCombining these strategies gives you greater control over token misuse and enables a robust, enterprise-grade logout flow.
\n![\"illustration](\"/e55ae4bbc8ce62e13f03e46e29ebe7cc/api-economy.webp\")
When you implement JWT-based authentication, the client (browser or mobile app) needs a way to store the access token and, optionally, the refresh token after they are issued by the authentication server. This stored token is then attached to every subsequent request to prove the user's identity.
\nChoosing where to store the JWT is a crucial security decision. The most common storage options are:
\nEach option has trade-offs between security, accessibility, and persistence, and the right choice depends on your application's architecture and threat model.
\nAccess Tokens
\nRefresh Tokens
\nJWT authentication with LoginRadius offers a modern, stateless approach to managing sessions across distributed systems. The IDX integration is ideal for rapid deployment, while the Direct API model is best for organizations needing deep customization and integration flexibility.
\nWith robust token signing, refresh capabilities, and centralized control, LoginRadius provides a future-ready foundation for secure, scalable identity architecture. Contact us to know more about JWT authentication and implementation guide.
\nA: JWT authentication securely verifies user identities, enabling stateless session management across web, mobile apps, and microservices without server-side session storage.
\nA: LoginRadius simplifies JWT integration by offering hosted IDX login pages and direct API-based authentication methods, enabling rapid deployment and deep customization.
\nA: Yes, JWT authentication is secure when implemented with best practices like short-lived tokens, secure storage methods, signature validation, and refresh token rotation.
\nA: Yes, LoginRadius allows revocation of JWT refresh tokens explicitly, and supports strategies like short-lived tokens and key rotation to manage token lifecycles securely.
\n","frontmatter":{"date":"April 15, 2025","updated_date":null,"description":"Discover JWT (JSON Web Token) authentication, its advantages, and how to integrate it seamlessly using LoginRadius' hosted IDX and Direct API methods for secure, scalable identity management.","title":"JWT Authentication with LoginRadius: Quick Integration Guide","tags":["JWT","JSON Web Token","Authentication","Authorization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":0.7782101167315175,"src":"/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp","srcSet":"/static/4cedb7829f98208cbc6d5a9aea4e983d/61e93/how-to-integrate-jwt.webp 200w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1f5c5/how-to-integrate-jwt.webp 400w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp 800w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1cc9f/how-to-integrate-jwt.webp 896w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kundan Singh","github":null,"avatar":null}}}},"pageContext":{"limit":6,"skip":180,"currentPage":31,"type":"//engineering//","numPages":53,"pinned":"5c425581-f474-5ae9-abe7-cf5342db2aaa"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}